How to secure Connection Strings
Secure your Connection String
If you have a website in a Shared web hosting service you should be worried about that the website maybe get hacked. Here what really happens is a user makes a HTTP request, your web application processes the request including connecting to the database, and returns the result to the user . Sending the connectionstring over HTTP will be just as plain text.
Encrypt or Decrypt Connection Strings in a web.config file
The connection string in the Web.config file contains sensitive information of database such as connectionstring parameters. To avoid these problems you can improve the security of sensitive information stored in a connection string by using built in protected configuration model functionality to encrypt or decrypt few sections of a web.config file .
How to encrypting the connection string in ASP.NET ?
You can encrypt the connectionstring section of a web.config file by using aspnet_regiis.exe command line tool, so it is never stored as plain text. This file is located in the %systemroot%\Microsoft.NET\Framework\versionNumber folder and you can use with -pef option. Consider you have an application named as MyWebApp. You can encrypt the connectionStrings section of the Web.config file by using aspnet_regiis.exe as follows :
-pef indicates that the application is built as File System website and second argument connectionStrings indicates the name of configuration section needs to be encrypted and the third argument is the physical path where the web.config file is located.
If you are using IIS based web application the command will be,
The -pe option, passing it the string "connectionStrings" to encrypt the connectionStrings element.
The -app option, passing it the name of your application.
After running the tool successfully .. you will receive a message "Encrypting configuration section...Succeeded!"
How to decrypt the connection string in ASP.NET ?
When you want to decrypt the encrypted Web.config file, run the aspnet_regiis.exe tool with the -pd option. The syntax is the same as encrypting Web.config file contents with the -pe option except that you do not specify a protected configuration provider.
- Frequently Asked Interview Questions - 1
- Frequently Asked Interview Questions - 2
- Advantages of ASP.NET Web Development
- What is IIS - Internet Information Server
- What is Virtual Directory
- What is HttpHandler
- Page Directives in Asp.Net
- What is a postback
- What is IsPostBack
- What is global.asax
- Difference between Machine.config and web.config
- Difference between HTML control and Web Server control
- What is Query String
- Difference between Authentication and Authorization
- What is ASP.Net tracing
- Passing values between Asp.Net pages
- Differentiate between client side validation and server side validation
- How to Get host domain from URL
- Adding a Favicon To Your Website
- AutoEventWireup attribute in ASP.NET
- Can I use multiple programming languages in a ASP.net Web Application?
- Difference: Response.Write and Response.Output.Write
- How many web.config files can I have in an application?
- What is Protected Configuration in asp.net?
- Static variables, what is their life span?
- Difference between ASP Session and ASP.NET Session?
- What does mean Stateless?
- What is the Difference between session and caching?
- What are different types of caching using cache object of ASP.NET?
- Which method is used to remove the cache object?
- How many types of Cookies are available in ASP.NET?
- What is Page Life Cycle in ASP.net?
- What is the code behind and Inline Code in Asp.Net?
- What is master page in ASP.NET?
- Can you change a Master Page dynamically at runtime?
- What is cross-page posting in ASP.NET?
- How to redirect a page in asp.net without performing a round trip ?
- How to register custom server control on ASP.NET page?
- How do you validate Input data in Asp.Net?
- What's the difference between ViewData and ViewBag?
- Difference between Response.Redirect and Server.Transfer
- What is the function of the CustomValidator control?
- Define RequiredFieldValidator?
- Difference between custom control and user control
- Difference between Label and Literal control in ASP.Net
- What are the major events in Global.Asax file?
- What is Event Bubbling in asp.net ?
- What is Delay signing?
- What is the difference between in-proc and out-of-proc?
- What is the difference between POST and GET?